Like you, I’ve seen the memes and articles floating around social media about checking ATMs for the telltale signs of an ATM Skimmer; loose card ports, keypads sticking up and general shadiness. It’s always one of those things I’ve kept in the back of mind, even though I never took it terribly seriously. This time it paid off!
The ATM was sitting by the restroom of a semi clean 7/11. It was the small freestanding variety that’s standard fare amongst small smelly gas stations. Nothing seemed out of place as I walked up with debit card in hand. The ATM’s screen was displaying instructions and its plastic card slot was glowing green.
It always happens to someone else, until it happens to you
I gave the green card reader a tug then inserted my card, all muscle memory. I moved to punch in my pin and then thought, “wait a second, that didn’t feel right.” As I pulled my card back out and tugged at the reader one more time I sat perplexed. “Am I imagining this, or is there just a bit of play there?” I pulled harder and the card reader gave a bit. I pulled harder still and at this point, it became apparent there was a gap between the device and the ATM that I could see green plastic underneath. “No way,” I thought to myself.
Once I’d gotten this far, I decided to go get the store clerk, as I figured he wouldn’t be too happy if he looked over and saw me trying to take apart the ATM. He gave it a tug then looked at me, fairly unconcerned and unconvinced. Having told him what was going on, I felt more confident about manhandling the ATM. So before he could protest, I flipped open my folding knife and wedged the spine into the space between the reader and machine; off popped the card reader.
The clerk and I stared at each other wide eyed and then looked to the card readers, one of which was now in my hand with the other still on the ATM. The reader in my hand was identical to the actual reader and fit on top of it the same way you’d stack a couple of Dixie cups together. Additionally, it was held tight to the machine via industrial strength double-sided adhesive. I’d discovered a definitive case of “it always happens to someone else, until it happens to you.”
Credit and debit card theft is one of the most popular crimes in the world. Chances are that you, or someone you know, has had their credit card number stolen and had to go through the new credit card dance. This involves phone calls with the bank, ordering a new card, updating credit card information on all of your autopay setups, etc. For those who have gone through the process, it’s highly annoying at a minimum. For me, it seems to happen once every year or two and it’s really inconvenient if it happens while you’re on a road trip and need to get gas (ask me how I know). The automated world we live in makes the process even more troublesome.
Card thieves tend to target smaller, obscure gas stations, trying to minimize the chances of being caught. Though this doesn’t mean they won’t target a larger and more crowded gas station. Here in Texas, credit card fraud is a felony, with an interesting clause that makes it a third-degree felony if committed against an elderly person, so these thieves come up with ingenious ways to limit their culpability.
To install the reader, the culprit will ready the card reading equipment and act like they’re using the ATM machine normally. They then quickly slip the adhesive backed card reader and pin logger onto the machine. Often times they’ll have a second person standing next to the ATM acting as a physical block to prevent their activities from being seen by security cameras or store employees.
The ATM Skimmer devices are run off small batteries and the perpetrator generally comes back 24-48 hours later to retrieve the equipment, as the reader and logger are useless once the battery runs out. They may even take the exhausted devices off and install new devices to continue the cycle of gathering card information. If you’ve used the ATM with the ATM Skimmer installed, the thieves now have your card and pin numbers. This usually results in receiving a phone call from your bank within a couple days, asking if you’re making online purchases from Alaska. (Once again, ask me how I know.)
ATM Skimmers are usually simple, constructed using hot glue and readily available small electronics. Many times, they’re built with components from old phones. There are two parts to the skimming operation: the card reader and the pin logger.
The actual card reader itself is what most people are familiar with, as it’s usually on prominent display anytime there’s a news story on an ATM skimmer. Just like actual card readers on different ATMs, the readers can take many forms. The one you may be most familiar with is the round green card reader shown in our photos. Criminals place a magnetic strip reader in the false cover that scans your card number when you insert it, but still allows the ATM to work as normal. The thieves can’t do a whole lot with just the number however, as banks are always increasing theft controls and these days you just can’t use the card number by itself to pull out money, or make purchases.
After finding the reader, I immediately called the local Fort Worth Police Department to report the finding. I then shot the photos over to a local DFW Police Officer buddy of mine, Mike E., who replied saying “an ATM Skimmer usually also has a pinhole camera that’s on the bottom side of the pin pad shroud, looking down onto the pad. Sometimes if there’s a pamphlet container on the ATM, they’ll hide a camera there as well.”
I went to back into the gas station and lo and behold, there was the camera hiding in plain sight. Once again I used my knife to pry the device off of the ATM. It was powered by what appeared to be an old cell phone camera, two batteries and used a MicroSD card to store the video. While I don’t recommend it, due to the chances of malware being installed, I downloaded the information from the pin camera and pulled the various frames grabs used in this article from those videos. Additionally, both items were also turned over to Fort Worth Police as evidence.
There are two commonly used methods of reading pin numbers, the first of which is a false keypad. Thieves will place a form fitting keypad over the real one to record your pin as you punch it in and then later correlate the pin with your card number.
The pinhole camera method is a little less refined, but pretty effective nonetheless. Criminals simply place a small camouflaged camera above the keypad to record you punching in your pin. This is what they utilized with the ATM Skimmer I found. Some card readers are equipped with a Bluetooth device that transfers the information to a nearby thief. While this method has drawbacks, such as high component price and short battery life, it also limits the culpability of the perpetrator as they don’t have to physically go into the store to retrieve the information.
Once the culprits have your information, there are a few things they can do with it. First, they can simply use it themselves by either ordering merchandise online or coding the information onto a credit card “blank” for physical purchases and withdrawals. Officer Mike also mentioned that many times they’ll simply compile the information into a bundle and sell it online. With this method, the information usually makes its way overseas and is why a good amount of card fraud is shown to originate from a foreign country. Once again, this limits the culpability of the thieves and makes it difficult to find and prosecute them.
The first step in preventing these situations is something that regular readers will find as no surprise and that’s advocating situational awareness. You should have your head on a swivel while at an ATM anyway, given the opportunity for a criminal to make a quick buck off of you, but you also need to check the machine itself. Give the card reader a good hard tug and do the same with the keypad. The stock devices won’t have much play, if any at all.
Also give the machine a good and detailed visual look. While the ATM Skimmer I encountered was well made and blended in nicely with the machine, there were definitely craftsmanship inconsistencies upon closer inspection. These included sloppy spray painting and a haphazardly cut credit card slot. Additionally, both the card reader and logger weren’t flush with the ATM, although they still looked like they belonged. Generally speaking, the real ATM readers and pads sit flush, or even recessed inside the machine while the fake ones stick out like in the photo above. You should also always try to avoid using ATMs at a gas station, or anywhere that’s not closely monitored, or obscured from view. Going to your bank may be the best option, but be aware that even bank ATMs aren’t impervious to nefarious characters.
In the end it will always be a tail-chasing scenario when it comes to battling technological theft, but there are ways you can mitigate the loss of information. While this article focused on ATMs, due to the fact it’s is where I found the ATM skimmer devices, perpetrators will use any device that you interact with using a credit card, such as gas pumps and pay-to-park kiosks. Doing what you can to protect yourself is paramount and you should always be prepared with a secondary method of payment, should the theft happen at an inopportune time. As always, you should be prepared to prevail against life’s threats, no matter what shape they take.
The post An ATM Skimmer Almost Stole My Credit Card! This is How to Spot Them and How They Work appeared first on ITS Tactical.
Read more: itstactical.com